Project 2 Continuation
Chapter 2: Preparation—What to Do Before You Start
Overview
In this chapter, you'll learn more about:
· Identifying different types of hardware
· Checking for unauthorized hardware
· Keeping up with hardware trends
· Knowing various operating systems
· Knowing different types of file systems
· Identifying maintenance tools
· Knowing legal rights and limits
· Forming an incident response team
Be prepared! This motto is especially true for computer forensics. To do a thorough job, a computer forensic investigator should know the hardware, operating systems, file systems, and networking solutions associated with all equipment under investigation. Most organizations have incident response teams that can provide this information for forensic situations, or assist with its compilation.
As an investigator, you must know your legal limits and be familiar with local laws where the crime was committed or incident occurred. You'll also need to know the laws where perpetrators reside, to be sure that any case you build stands up in a court of law.
If you do most of the groundwork needed to build a case ahead of time, when that need arises you'll be able to complete the task more efficiently. This chapter guides you through the following processes.
Know Your Hardware
Information can be retrieved from many hardware devices, including internal and external hard drives, CD-ROMs, USB flash drives, Compact Flash devices, memory cards or sticks, and smartphones. Information stored on such devices is nonvolatile, and usually persists intact when such a device is powered off (and sometimes even after erasure).
By comparison, devices such as keyboards, monitors, and printers do not store data permanently (or at all). These devices are used to send data to and receive data from computers. After a computer is turned off, these devices do not truly store information. However, a trained computer forensic investigator who employs specialized techniques can often find data or evidence on these devices even when a system is powered off (as with printer buffers or onboard storage devices).
Because technology is constantly changing, keeping up-to-date on new devices and methods for communication is important. You must also determine which of these technologies and devices are permitted in an organization under investigation. That's because employees frequently use their own devices for convenience's sake, but intruders use them to gather information, often illicitly.
What I/O Devices Are Used?
Many of the terms used to describe computers or their components actually describe their capability, use, or size. Even though the word "computer" can apply to just about any device that contains a microprocessor, most of us think of a computer as a device that processes what we input using a keyboard or a mouse and then displays the results on a screen.
One of the first items on your planning agenda should be to list all types of input/output (I/O) devices used in the organization. This list will drive the selection of tools needed to analyze the information they contain. It will also give you a good idea of what areas could be susceptible to intrusion and might therefore need more monitoring.
Data transfer that occurs between the thinking part of the computer, or CPU, and an external device or peripheral. For example, when you type on a keyboard, that device sends input to the computer. Usually software directs the computer to output what you type on a screen.
Servers
In the early days of computing, mainframes were the primary repositories for storing and processing data. These were huge computers that filled entire rooms. As the power of computers has increased, their size has decreased. Many mainframes have been replaced by enterprise servers—although you'll still find mainframes in use, particularly in large enterprises. Mainframes generally involve large, specialized, expensive hardware systems from vendors such as IBM, Hitachi, HP (NonStop systems), Fujitsu, and NEC. Older models use proprietary CPUs, memory, and bus architectures. Enterprise servers, on the other hand, are generally modular, rack-mounted computers built around stock Intel or AMD server processors (such as Xeon and Opteron, respectively), and use standard memory packages and bus architectures. Price is also a major differentiator: It's easy to spend millions on a mainframe installation, but difficult to spend more than $500,000 on an entire equipment rack stuffed with server blades, storage devices, high-speed interconnects, plus redundant power supplies.
|
|
Note |
Servers can play various roles. By identifying the role that each server plays, you can more easily determine which tools you'll need. Common server roles include application, file, web hosting, print, e-mail, Voice over Internet Protocol (VoIP) services and messaging, and File Transfer Protocol (FTP). |
A computer with sufficient processing power and storage capacity to provide services to other computers over a network. Servers often include multiple processors, large amounts of memory, and many sizable hard drives. They also often incorporate two or more high-speed network interfaces (Gigabit Ethernet, also known as GbE, or better).
You should also determine where servers are situated. Are they accessed from the internal network only, from the external world (over the Internet), or both? This helps identify vulnerabilities, as well as protective measures that should be in place. This is important because, owing to the anonymity of networks and the Internet, attacks on all types of servers are increasing. The reasons for such attacks can be attributed to everything from simple curiosity to malicious intent.
Workstations
The term workstation used to refer to extremely powerful desktop computers most often used by research and development teams. Because technology has advanced so rapidly and a lot of processing power can be packed into a small machine, workstation is often used interchangeably with personal computer (PC) or desktop.
A high-end desktop computer that delivers enhanced processing power, significant memory capacity, and performs special functions, such as software or game development, CAD/CAM design, finite element analysis, and so forth.
personal computer (PC)
A personal computer intended for generic use by an individual. PCs were originally known as microcomputers because they were built on a smaller scale than the systems most businesses used at the time.
A PC designed to be set up in a permanent location because its components are too large or heavy to transport easily.
Although PCs and workstations can be used as stand-alone systems (for example, in a home environment), they are often linked together to form a local area network (LAN). Figure 2.1 shows the relationship between a server and workstations on a LAN.
Figure 2.1: Typical LAN setup
|
|
Warning |
You should maintain an inventory of workstations on the premises. You should also know who connects to the network remotely. |
In today's mobile society, telecommuting has become a way of life. Telecommuting saves overhead and energy costs. Many organizations hire contractors without providing them with work space on-site. This is an important factor to remember. Everyone has heard horror stories about people hacking into corporate networks through home computers. It can—and does—happen all the time!
John Deutch
One high-profile case is that of ex-CIA director John Deutch. He stored over 17,000 pages of classified documents on unsecured Macintosh computers in two of his homes. National security secrets were stored where almost anyone could access them. His computers, designated for unclassified use only, were connected to modems and regularly used to access the Internet and the Department of Defense (DoD). Family members were also allowed to use those same PCs.
Unsecured classified magnetic media were also found in Deutch's residences. A team of data recovery experts retrieved all data from Deutch's unclassified computers and magnetic media. The results of this inquiry were submitted to CIA senior management.
Deutch pled guilty to storing government secrets on unsecured home computers in exchange for receiving no prison time. Deutch was pardoned by President Bill Clinton hours before his presidency ended.
Workstation security is too often overlooked and under-appreciated. Yet this is one target that proves irresistible to intruders because it is a path of least resistance when deploying an attack.
Mobile Devices and More
Mobile devices include ordinary cell phones as well as smartphones. Cell phone design puts a strong emphasis on phone use; smartphones include a strong emphasis on Internet access and applications as well. Cell phones are more compact, feature smaller screens and keyboards, and aim more at basic voice communication with limited text-handling. Smartphones are somewhat larger with bigger, higher-resolution screens and keyboards that more easily accommodate text-handling, and feature basic Internet access (Web, e-mail, Twitter, and so forth) along with voice communications. At the moment, the Apple iPhone is the must-have smartphone, though other models from LG, HTC, and Motorola also inspire strong "gadget lust."
A catch-all term that refers to any of a number of handheld computing and communications devices, including cell phones, smartphones, handheld computers, and even so-called personal digital assistants (PDAs). All of these handheld devices have some or all of the following capabilities: general computing including web access and compact local applications (called apps), wireless Internet and networking components, wireless telecommunications, global positioning systems (GPSes), e-mail access, and phone/address book capabilities. Mobile devices generally use flash memory instead of a hard drive for storage to keep them as light and small as possible.
Mobile devices also encompass handheld computers and PDAs, which may also be referred to as palmtops or pocket computers. The two major categories in this case are handheld and palm-sized. The differences between the two are size, display, and method of data entry. Handheld computers tend to be larger, with larger liquid crystal displays (LCDs), and might use a miniature keyboard in combination with touch-screen technology for data entry (the Apple iPad is an interesting and popular example of this type). Palm-sized computers are smaller and lighter, with smaller LCDs and stylus/touch-screen technology or handwriting recognition programs for data entry. They can also include voice recognition technologies. A typical PDA can function as a cell phone, fax, web browser, and personal organizer. Figure 2.2 shows some typical mobile devices, including a cell phone, a smartphone, and an iPad.
Figure 2.2: Samsung 2G cell phone (left) and Apple iPhone (right) on top of an Apple iPad
Smartphones, handheld PCs, and PDAs are often designed to work in conjunction with a desktop or laptop PC. Communication to synchronize the device and the computer typically occurs via a USB cable. Many mobile devices can rest in a cradle while hooked up to a PC. Besides communicating via cable, mobile devices can use infrared (IR) ports or various wireless methods (such as 802.11b, 802.11g, 802.11n, and Bluetooth) to transfer data.
|
|
Warning |
All mobile devices are highly susceptible to theft because they are small, valuable, and frequently contain important or sensitive information. Many of them use wireless or infrared technology so that any data they transfer can be intercepted if it is not properly protected. |
Mobile devices, especially smartphones, remain some of the fastest selling consumer devices in history. You should know whether they are used on the network of the organization you're investigating because malicious individuals can use them to transfer sensitive information outside normal access controls, for later reuse or even resale.
Other Devices
Many other devices can be used to transport or transmit data. They mainly consist of removable media. When you think of removable media, you probably think of floppy disks or CDs and DVDs, which are used in floppy drives and CD/DVD-ROM/RW drives , respectively. An increasing number of Blu-ray Disc devices (which can accommodate 50 GB of data per recordable media blank) are also showing up in the workplace.
A drive, either internal or external, that is used to read and/or write CDs and DVDs. A CD can store large amounts of digital information (650 MB to 750 MB) on a very small surface. Single-sided, single-layer DVDs hold 4.70 GB while double-sided double-layer DVDs hold more than 17 GB of digital information. CDs and DVDs are incredibly inexpensive to manufacture.
In addition, you should be aware of other devices and determine if any of them are being used. For example, older storage media and devices are present in many workplaces. These include:
· floppy disks: There are several form factors called floppy disks. Capacities range from hundreds of kilobytes to a couple of megabytes. From most recent to oldest, they are:
3.5-inch rotating magnetic media in rigid but compact plastic shells
5.25-inch rotating magnetic media in flexible plastic shells
8-inch rotating magnetic media in flexible plastic shells
· zip disks : These are somewhat larger than conventional floppies and store hundreds of megabytes of data.
· Jaz disks : Removable, single-platter hard disks packaged in special protective plastic shells. These devices, which can store hundreds of megabytes and up to 8 GB, are basically hard disks (the drive mechanism) with removable media (the Jaz disks themselves).
Remember that for any kind of removable media (and this includes all kinds of tape formats and other lesser-known removable media from days of yore) a matching drive must be found, and then a driver for a PC or other computer used to access media contents. Putting together all the pieces of this sometimes pesky puzzle can make life interesting during forensic investigations.
USB flash drives (UFDs) come in many sizes, from 1 GB to as high as 256 GB (older models in the 16 MB to 512 MB range are also still kicking around). USB flash drives can be used for exchanging large files with someone, running an alternate or repair system on another computer (such as a laptop computer), and keeping certain files separate from files on a hard disk (for example, hacking utilities).
A small, portable, high-capacity flash memory device that attaches to a computer or mobile device via a Universal Serial Bus (USB) port.
Figure 2.3 shows various UFDs, all of which are small enough to fit into a shirt or pants pocket with ease. Many UFDs include password and encryption utilities, and there are many utilities available to protect UFD contents from third parties as well. Secure UFDs from vendors like IronPort are also available. These not only protect their contents, but also permit access to be managed and controlled remotely and centrally, even to the point of destroying a UFD that has been lost or possibly stolen.
A hard disk in an external enclosure with its own power supply and data interface(s). Nearly all external hard disks support USB; many support higher-speed interfaces such as eSATA or FireWire (IEEE 1394).
Figure 2.3: UFDs, ranging in physical size (tiny blue model and large Survivor model with waterproof case both hold 8 GB of data)
At the time of this writing, modern external hard drives come in capacities from 160 GB to as high as 4 TB. Many include backup utilities, and some even include encryption plus protection and password management utilities as well. You will learn about passwords, encryption, and decryption in Chapter 7, "Passwords and Encryption."
External hard drives (see Figure 2.4) come in two primary form factors nowadays: smaller, more portable units (which can accommodate as much as 2 TB) incorporate 2.5-inch notebook drives; larger, less portable but more spacious units (which can accommodate as much as 4 TB right now) incorporate standard 3.5-inch desktop PC drives.
Figure 2.4: Two external hard disks—160 FB 2.5" USB mini-jack type on top of 1.5 TB 3.5" USB Type B jack
Real World Scenario
Tales from the Trenches: A Preparation War Story
Computer forensic experts should heed the Boy Scout motto: "Be prepared!"
While working with a group of computer forensic specialists who were preparing for a trip to a "far off land" to recover information of "interest to the nation," we organized a list of every item that might possibly be needed during an extended stay. This team was assembled based on each member's unique talents and skills. We brainstormed for days, running through every scenario we could imagine to determine how best to prepare for the upcoming mission.
Our team developed a list incorporating all typical items you would expect for such a trip, including strong, secure shipping containers, appropriate commercial forensic recovery tools, a collection of hard drives of various sizes, commercial hard drive duplication hardware, and adapters to read assorted forms of media. We collected a copy of each operating system we anticipated seeing in the field as well as an assortment of application CDs and a variety of other software.
We conducted intensive "ramp up" training to bring all team members "up to speed" and "on the same page" with policies and procedures for this mission. Each team member was instructed on legal limits and requirements for conducting searches and seizing evidence in this foreign location. Everyone was reminded that any evidence located might later be used in court proceedings. Everyone was ready to go. We had planned for every possible contingency.
With all the preparation completed and the equipment safely packed away, the team departed for their new assignment, confident they had the training, equipment, and resources necessary to accomplish their mission. The team arrived on-site and began to set up lab equipment in a safe and secure location to protect their gear and to preserve the integrity of any evidence they processed. Members of the team were assigned to test the equipment to ensure everything worked properly. Other team members were dispatched to locate potential evidence to bring back to the lab for analysis.
Within a few days the team had begun to locate items of interest and began conducting forensic analyses of computers and hard drives. Each case was documented fully, and each investigation appeared to be running smoothly. All our prior planning appeared to be paying off and every part of the operation was running nicely. And then, right on time, Mr. Murphy made his much-dreaded appearance!
With every plan, no matter how well-conceived or executed, something always seems to go wrong. Usually it is something minor—something that typically would cost only a little time and money to fix—had we considered it before the team left home. It is usually something so trivial no one anticipates its occurrence. Here, it was something so important that the team was stuck until the problem was solved.
In this part of the world, old 5 1/4-inch floppy disks are still in use; and the team located a large collection of such disks that very possibly contained evidence linked to the investigation. The team had no blank 5 1/4-inch media on which to corral the evidence and, of course, no 5 1/4-inch disk drives were installed in any of the lab PCs. Even our training had skipped this issue, so younger members of the team had to be instructed in proper techniques for write-protecting such disks to safeguard evidence. New 5 1/4-inch media had to be flown in from another country along with brand-new 5 1/4-inch disk drives. While this did not stop the team from ultimately accomplishing their mission, it did cause a minor delay in processing time-critical information.
What can you learn from this? No matter how much planning and preparation you undertake, some-thing for which you are not prepared usually pops up. It certainly is nice when you can run down to a local computer superstore and buy whatever you need; but sometimes you just have to make do until proper supplies arrive. Planning is important, but so is another skill that the Scouts might just want to add to their list—an ability to improvise.
Networked printers, webcams, networked fax machines, and networked copiers also have vulnerabilities that can lead to data exposure or denial of service. They can be used as gateways for attacks on other systems. These types of I/O devices are often taken for granted, and their security is rarely questioned. Sometimes organizations use the same printers to print sensitive documents that they use to print public documents, such as announcements for company parties. Don't forget these devices as you inventory the environment.
Check for Unauthorized Hardware
Frequently, employees just assume that it's okay to install a device on the network or their PC. Unauthorized installations can present security issues to an organization. Once you have inventoried all approved devices in use in the organization you're investigating, it's time to look for installed hardware that isn't approved. You may be surprised at what you will find, if not astonished outright.
Modems
Modems are devices connected to a phone line that can be used to dial into a server or computer. Wireless modems convert digital data into radio signals and convert radio signals back into digital signals. Although modems are still in use in some geographic areas, they have been replaced (particularly in urban areas) by high-speed cable and digital subscriber line (DSL) solutions, which are faster than dial-up access.
A shorthand version of the words modulator-demodulator. A modem is used to send digital data over a phone line. The sending modem converts digital data into a signal that is compatible with the phone line (modulation), and the receiving modem then converts that signal back into digital data (demodulation).
Nevertheless, modems and modem pools or banks are still operational in corporations or SOHO (small office, home office) environments. Many companies still use modems so employees can dial into their networks and work from home. These modems are usually configured to be available to any incoming calls. War dialing takes advantage of these situations and targets connected modems set to receive calls without authentication.
Automated software that attempts to dial numbers within a given range of phone numbers to determine if any of those numbers are actually used by modems accepting dial-in requests.
|
|
Note |
War dialing was extremely popular years ago. In fact, it figured into the popular 1983 movie War Games starring Mathew Broderick, who dialed into a military missile control system and nearly started a world war while thinking he was simply playing a strategy game. However, because newer technologies have replaced connected modems set to receive calls without authentication, war dialing may be an unlikely threat for a LAN. It depends on how advanced an organization's technology might be. |
Real World Scenario
Tales from the Trenches: The Case of the Missing Modems
Security audits can—and very often do—turn up all kinds of unexpected elements in an organization's IT infrastructure. One case in point was an audit, followed by a datacenter move, that I helped to conduct for a major U.S. banking and financial services company.
In the process of conducting the audit, we discovered that the datacenter continued to maintain an even dozen analog phone lines through its PBX system (such lines are normally digital, and analog lines in this environment usually point to the presence of a modem somewhere). But while we could find the lines, try as we might, searching high and low, we couldn't find the modems that went with them.
The mystery was solved when we started to disassemble the raised-floor area in the datacenter. (In many datacenters, cabling and power leads are generally routed under the floor, and related equipment such as servers, power conditioners, cooling units, and so forth, sit on top of the floor.) As we started moving servers, we had to disconnect their cables, which perforce meant lifting the floor tiles to get at the cables and wires. Directly under one dozen of the one-hundred-plus servers in that room, we found our missing modems. It turned out the company permitted project administrators to request and use special modems to dial into their project servers so that they could be remotely restarted after hours and on weekends. They used special interface devices called POST boot cards that can recycle the power to a server and support what's called a "cold start" when a machine needs to be completely reset. Over time, records for these devices were misplaced or lost. The lines were kept live, and the modems kept running, but nobody knew where they were, or even that they were still up and running.
This discovery underscores the importance of systematic phone number and extension checking when conducting security surveys. Whenever a live modem is found, it needs to be located and documented. Even more important, such modems should only remain online if there's no other equipment available to perform the tasks that they handle. In our datacenter, for example, a gradual switchover from Compaq to Dell servers meant that the Dell Remote Access Controller (DRAC) devices that the bank had purchased for their new servers could have taken over the role that those mysterious modems were meant to handle. When it comes to modems, the cardinal rule of security has to be "Don't use them, if you don't need them!"
Cable and DSL modems are more popular these days. These devices are not vulnerable to dial-up attacks, but they present a danger because they maintain always-on connections to the Internet. Cable modems enable Internet access through a shared cable medium and users are actually on a LAN with all subscribers in their area, which means everything that travels to or from a connected machine can be intercepted by other cable users if the security features in the hardware are compromised.
Real World Scenario
Former Employee of Hostgator.com Sentenced to Prison for Computer Attack
On January 26, 2009, Cliff L. Wade, a former support technician at Hostgator.com, a Houston-based Internet service provider, was sentenced in a Georgia federal court to eight months in prison and three years of supervised release, plus a fine of $100, in connection with a scheme to intentionally damage his former employer's network and business.
In early October 2007, Wade moved to Atlanta, GA, from Houston, TX, and started work for a competitor organization without notifying Hostgator of his departure or his changed employment situation. After this time, Wade accessed the Hostgator system and intentionally executed various command and code functions to impair the integrity of Hostgator's customer support network. Hostgator.com neither authorized nor was aware of Wade's activities, and Wade's intrusion caused the company to suffer financial damages in excess of $5,000. Hostgator.com incurred a significant reduction in revenues, and also lost money from resulting damage assessments and the costs involved in restoring damaged data and programs to their proper states.
In the course of the investigation, computer forensic analyses conducted by the FBI revealed that, although Wade had attempted to erase all electronic traces of his identity or presence, those attacks could be linked by certain computer records to other computers outside Hostgator that were in use or otherwise controlled by Wade.
As you can see from this case, knowing who has access to what machines is important. The fact that Wade remained able to access to the computers at Hostgator, even after going AWOL, is revealing and informative. In fact, cases have been documented where former employees are able to access networks years after their termination dates.
Key Loggers
Key loggers record and retrieve everything typed, including e-mail messages, instant messages, and website addresses. To install a hardware key logger, you unplug the keyboard cable from the back of the PC, plug it into one end of a key logger, and then plug the other end into the PC. Figure 2.5 is a photo of the Keelog KeyDemon USB Hardware Keylogger.
Figure 2.5: The Keylog KeyDemon USB keylogger plugs in between the keyboard cable and the PC's USB port.
Device that intercepts, records, and stores everything typed on a keyboard into a file. This includes all keystrokes, even passwords.
Organizations use key loggers for the following reasons:
· As a tool for computer fraud investigations
· As a monitoring device to detect unauthorized access
· To prevent unacceptable use of company resources
· As a backup tool
So why are they on the list of unauthorized hardware? Simply put, anything can be used for bad intent, and unauthorized individuals can use key loggers to capture logins and passwords illicitly. Unless an organization uses them according to an explicit policy, key loggers should not be present on a network, or systems attached to a network.
|
|
Note |
Key logging is not restricted to hardware. Numerous key logging programs are readily available on the Internet. |
Software key loggers become easier to detect as time goes by because their log files grow. You'll eventually be able to tell when one is in use because available hard-drive space decreases markedly.
Real World Scenario
Key Logging Scam Targets Bank Users
On March 13, 2007, the U.S. Army website http://www.army.mil/NEWS/ reported from Fort Belvoir, VA, that soldiers, family members, and DoD civilians who use their home computers to access Thrift Savings Plan (TSP is a popular, widely used bank for military personnel, their families, and those who work for the military) could be vulnerable to information theft, and possibly theft of funds, as a result.
In the story, TSP officials indicated that they had identified numerous customers who had fallen victim to a key logging attack. The technique of keystroke logging was used in these cases to obtain TSP personal identification numbers and passwords, which in turn could provide access to identity information such as social security numbers (SSNs) in compromised accounts.
Michael Milner, Director of the U.S. Army Criminal Investigation Command (CIC) Computer Crime Investigative Unit, said that "personal information is increasingly available on 'keylogger' lists for sale through criminal networks and so far, all of the TSP cases involve the transfer of electronic funds, since criminals normally prefer the 'paperless' way to steal money." Milner also went on to say that users should take steps to protect themselves from key loggers and malware, and should promptly close their web browsers after visiting the TSP site. Even then, he also observed that "logging off a Web site does not clear a browser's memory, and subsequent users might be able to access the TSP account information."
According to the TSP, external penetration testing they conducted confirmed that TSP records had not been breached, but that personal information for those users whose keystrokes had been logged was compromised. The institution also identified some customers who had relatively small amounts with-drawn from their accounts. As a security precaution, TSP has discontinued making electronic payments for online transactions.
I/O Devices
Besides key loggers and modems, you may find lots of unapproved and potentially dangerous devices on an organization's network. The technologies behind many of them are discussed in the next section. Here is a list of some of these devices:
· Any UFD plugs into a USB port and saves up to 256 GB of data. Sizes vary, but these drives are affordable and no software is required to use them. These drives are also easily carried or concealed in pockets.
· Compact Flash drives (CFDs) and memory sticks of many kinds come in capacities up to 128 GB. These drives are also affordable and highly portable, and plug right into most notebook PCs and mobile devices.
· Secure Digital (SD) and miniature SD (miniSD) drives now come in capacities up to 64 GB (128 GB units are scheduled for release in 2011). Widely used in cell phones, cameras, and other portable devices, an increasing number of notebook PCs and portable devices now feature SD ports.
· A portable laptop drive can be only half an inch thick and weigh less than 4 ounces, yet it can store 1 TB.
The common factor in all of these devices is that they are small, hold a lot of data, and are easy to transport. Detecting that they are being used on a network can be challenging because they are easy to conceal, and their data transfer rates are fast. Corporate policy should address use of such devices.
USB Devices
In the early days of computing, each computer came with a limited number of ports to which you could attach devices. Printers connected to parallel printer ports, and most computers had only one port. Modems used the serial port, but so did Palm Pilots and digital cameras. Most computers had two serial ports. New technology was needed to support all of the I/O devices people wanted to attach to their computers.
Today, all laptop and desktop computers come with two or more Universal Serial Bus (USB) connectors. USB connectors let you attach devices to your computer quickly and easily. Compared to other ways of connecting devices to your computer, USB devices are simple and straightforward. USB devices you can attach to your computer include printers, scanners, modems, and storage devices of all kinds and sizes.
A connectivity standard that allows for the connection of multiple devices without the need for software or hardware.
You might need to attach more devices to a computer than you have USB ports. Purchasing an inexpensive USB hub enables you to connect additional USB devices to your computer. Figure 2.6 depicts a USB hub.
Figure 2.6: USB hub
The USB standard supports up to 127 devices per port, and USB hubs are covered in that standard. A hub typically includes four or more ports. Just plug a hub into any USB port on your computer, and then plug devices into the hub. You can add dozens of available USB ports to a single computer by chaining hubs together using USB cables.
|
|
Note |
USB standard version 2, which was released in April 2000, can support data rates up to 480 megabits per second (Mbps). USB standard version 3, released in November 2008 (the first commercial devices that implemented USB 3 became available in January 2010), supports data rates up to 5 gigabits per second (Gbps). At the time of this writing, USB 3 devices are starting to be widely available, but Intel isn't expected to support the standard until 2011. |
USB devices are also hot pluggable. This means they can be attached to and unplugged from the computer without turning off the system. No special settings are necessary to unplug the USB devices without damaging device data. Many USB data storage devices are tiny. For example, many UFDs are small enough to fit on a key ring. Just plug a UFD into your USB port, and the operating system (OS) recognizes it immediately, allowing you to transfer files at your convenience. When you're done, simply eject the drive, plug it into another system, and transfer the files to that system.
hot pluggable
Also called "hot swappable," a computer device such as an external drive that you can connect without having to power down the computer first.
FireWire
FireWire was originally developed by Apple and is now an official IEEE 1394 standard (more than 60 vendors belong to the 1394 Trade Association). At 400 Mbps, FireWire 1394a has base bandwidth nearly on par with USB 2 (a higher bandwidth 1394b version, called Firewire 800, runs at 800 Mbps). FireWire is well-suited for transferring large data files, and supports up to 63 devices on a single bus. Connecting to a device is similar to using USB.
An IEEE-1394 technology that implements a high-performance, external bus standard for rapid data transfer and streaming multimedia (such as video).
|
|
Tip |
Just like USB, FireWire is plug-and-play compliant and hot swappable, so you can connect and disconnect devices without shutting down your computer. |
Because this technology is well-suited for high-quality digital, video, and audio, FireWire is a good way to store pornography or proprietary company designs. It can also be used on a plug-in computer storage device, making it easy to copy and then remove tons of data.
Keep Up with I/O Trends
As new technologies emerge, so do ways for intruders to infiltrate networks. Because technology is always changing, you have to evaluate new technologies before those devices appear on your (or your clients') networks. You should spend some time reading about these new technologies as they are developed and marketed.
Everybody has become familiar with seeing people talking to themselves in public places, thanks to wireless in-ear headsets for mobile devices that are so small you can't even see them when a person's head is turned the wrong way. You have Bluetooth to thank for these moments of apparent lunacy, but as you'll see, Bluetooth provides a great deal more functionality than enabling wireless voice link-ups: Bluetooth also enables printer, network, and even data transfer links.
Bluetooth
Bluetooth was named after Harald Bluetooth, the king of Denmark in the late 900s. It doesn't require any special equipment to work. The devices simply find one another and begin communicating.
A standard developed to allow various types of electronic equipment to make their own connections by using a short-range (10 meter) frequency-hopping radio link between devices.
|
|
Note |
Bluetooth operates on a frequency of 2.45 GHz, which is the same radio frequency band as baby monitors, garage door openers, and newer cordless phones. |
The design process makes sure that Bluetooth and other devices don't interfere with one another. Bluetooth uses a technique called "spread-spectrum frequency hopping." This means a device will use randomly chosen frequencies within a designated range and regularly hop or change from one range to another. Bluetooth transmitters change frequencies 1,600 times every second.
Bluetooth covers an astonishing array of products (more than 11,000 of them as we write this chapter, according to the product list at Bluetooth.com). They include audio/visual, phone and headset, automotive, networking, and widespread computer applications. Wireless mice, keyboards, speakers, printers, and even USB extenders are all available in Bluetooth versions.
eSATA
To understand eSATA, you should first know that Serial Advanced Technology Attachment (SATA) was originally designed for high-speed internal connections for PC hard drives. Add an e for external on the front, and you get eSATA, a high-speed interface for external hard disks. As of 2009, modern PCs use SATA more or less exclusively for hard drives, and old-fashioned parallel interfaces serve only to support legacy devices.
eSATA
External Serial Advanced Technology Attachment (eSATA) is an interface technology that permits external hard drives to use the same high-speed SATA interface that internal hard drives use.
SATA comes in three generations, so eSATA devices do, too:
· SATA 1.5 Gbps is the first generation and supports data rates up to 1.5 Gbps. It's also known as SATA 1.0.
· SATA 3.0 Gbps is the second generation and supports data rates up to 3.0 Gbps. This exceeds the capability of all but the fastest solid state disks (SSDs), serial attached SCSI (SAS), and flash drives currently available in today's marketplace. It's also known as SATA 2.0.
· SATA 6.0 Gbps is the third generation and is a relatively recent introduction to the computing world (the standard was approved in July 2008, but devices and computer interfaces that implement the standard didn't hit the market until late 2009). It's also known as SATA 3.0.
Most eSATA devices (and interfaces) available today implement SATA 1.0 or 2.0, with 3.0 eSATA devices starting to enter the marketplace at the time of this writing. Over time, the newer and faster technology will garner more presence. The SATA (and eSATA) technology supports data transfers as fast as modern storage technology can go, especially in its 2.0 and 3.0 versions.
|
|
Tip |
Unlike FireWire and USB, eSATA devices cannot draw power through the PC interface. This means external power is required for eSATA, which makes it less convenient—and harder to conceal—than these other two interfaces. However, its astounding speed (and increasing availability of eSATA ports and flash drives) means security policies for external storage devices must mention eSATA. |
When it comes to modern external storage, eSATA and USB 3.0 represent the current pinnacle for bandwidth. Thus, these technologies are even better-suited for high-quality digital, video, and audio than FireWire. These, too, are compelling ways to grab and go out the door with pornography or proprietary company designs.
Other Technologies
In addition to the technologies we have already discussed, a few others are worth mentioning, especially wireless ones. The world of wireless is rapidly expanding, and you may find yourself investigating issues that involve capturing data through wireless devices. Here are brief descriptions of some of those technologies:
· 802.1 u x is a standard developed for wireless local area networks (WLANs). It utilizes port-based network access control. Current standards range from 802.11a to 802.11n.
· IR transmissions use an invisible light spectrum range for device communication, so the devices have to be in direct line of sight with each other.
· I-Mode is NTT DoCoMo's mobile Internet access system that originated in Japan.
· BlackBerry is an end-to-end wireless solution developed by Research In Motion Limited.
These technologies make our lives easier, yet they can pose a threat to any network environment. A wireless device advertises that it is out there, making it easy for an intruder to pick up and monitor.
Know Your Operating System
Once you have a good inventory of the I/O devices on the network and have identified what kind of unapproved devices you might find, you must enumerate which operating systems (and versions) are in use throughout the organization.
It used to be that you would find only one type of operating system on a network. With the advent of mobile computing, Internet business, and corporate mergers, networks have become more complex and diverse. Typical computer examinations must adapt to the fast-changing and diverse world in which computer forensic science examiners work. Before you can begin a forensic investigation, you must be familiar with various operating systems you might encounter.
Commonly Encountered Operating Systems
Not only do various operating systems exist, but each operating system has multiple versions, such as server and workstation, and new releases. How you handle and extract information from a computer running Linux will be very different from how you handle and extract information from a Windows computer.
Acts as a director and interpreter between the user and all the software and hardware on the computer.
Windows
Although you probably won't find it in use anymore, Microsoft's first attempt at a graphical operating system was Microsoft Windows 1 in 1985. Many subsequent versions of Microsoft Windows have been released. Table 2.1 highlights a few of the better-known versions of Windows that you might encounter on older systems.
Table 2.1: Early Windows Graphical Operating Systems
|
Version |
Release date |
Description |
|
Windows 1 |
1985 |
Microsoft's first attempt at a graphical operating system |
|
Windows 3.1 |
1992 |
Used in the early 1990s prior to creation of Windows 95 |
|
Windows 3.11 |
1993 |
Used in early 1990s prior to creation of Windows 95 |
|
Windows for Workgroups 3.11 |
1994 |
Allowed resource sharing between users without aid of a central authentication server |
|
Windows NT |
1994 |
NT stands for New Technology. It was rate environment and intended for use on high-powered servers and workstations |
|
Windows 95 |
1995 |
Popular in late 1990s; more than a million copies were sold in the first four days after it was released |
In 1995, Microsoft introduced Windows 95, which was a significant improvement over Windows 3.x and was Microsoft's first truly consumer-oriented graphical operating system for PCs. Windows NT came into its own with Windows NT 4: It was released in 1996 and became quite popular in the late 1990s. Then, along came Windows 98, followed by Windows 2000 and Windows Me (Millennium Edition). In 2001, Windows XP made its appearance, followed by Windows Server 2003. In 2006, Windows Vista was released, and two years later Windows Server 2008 came on the scene. Microsoft's latest release for workstations is Windows 7, and Windows Server 2008 R2 (Release 2) for servers. The most common Microsoft systems you will encounter are Windows XP, Windows Vista, and Windows 7.
UNIX/Linux
The UNIX operating system was originally created at AT&T's Bell Laboratories and licensed freely to most universities and research facilities. UNIX was designed to allow a number of programmers to simultaneously access a single computer and share its resources. The operating system coordinates the use of the computer's resources, and it controls all of the commands from all of the keyboards and all of the data being generated. It permits each user to work as if he or she were the only person working on the computer.
Bell Labs distributed the operating system in its source language form. By the end of the1970s, dozens of different versions of UNIX were available. The success of the UNIX operating system has led to many technologies that are part of the IT environment today. Although UNIX is often installed on mainframes, versions of UNIX have found their way into the PC world. Some of the different versions available are BSD, HP-UX, SCO, IBX AIX, Sun Solaris, and Digital.
Linux is a UNIX-like operating system that was written by Linus Torvalds in 1991. Originally named Freax, it was hosted on the Minix operating system. Linux is an open source operating system, which means that its source code is readily and freely available online, and that users can either purchase commercial distributions at low cost, or "roll their own" at no cost, if they prefer.
Code that the code creator makes available under a license that permits end users to freely redistribute, make modifications of, and create derivative works of the source code.
Ready availability has allowed thousands of people to contribute patches, fixes, and improvements. Installing Linux has become easier as the versions and products have evolved. The earlier versions were all text-based and, frequently, hardware support had to be compiled into the kernel. Newer versions have graphical-based installations, making the process much less complicated. Various versions of Linux are available. Some of the more popular ones are Mandrake, SuSE, Caldera, MkLinux, Debian, Slackware, and Red Hat. You will probably encounter Red Hat most often.
Macintosh and Mac OS
Apple introduced the Macintosh line of personal computers in 1984. The first Macintosh, or Mac for short, had 128 KB of memory and a unique design. The monitor and floppy disk drive were built into the same cabinet that housed its main circuitry. In 1994, Apple introduced the PowerMac. In 1998, the third generation of Macs was born with the release of the iMac.
Early versions of the Macintosh operating system were called System x.x, where x.x was the version number. With the release of Mac OS 8, however, Apple dropped the word "System." Now the versions are simply known as Mac OS with a version number. The most current version is OS X (so called because X is the Roman numeral for 10), based on the UNIX BSD operating system. Macs are popular for high-end users and graphic or drawing applications, such as CAD. You might encounter Mac OS 8, 9, and X.
Other Operating Systems
The first operating system used on the earliest IBM PCs was called the Disk Operating System (DOS). Microsoft's version of DOS is the most common one and is called MS-DOS. Those of you who have been around the computing environment for a while might remember that IBM Corporation also produced a DOS product called PC-DOS. If you run into a DOS machine, you probably won't find a mouse and you certainly won't find a colorful screen. To run a DOS operating system, you issue commands at a prompt on the screen.
Freespire, formerly called Linspire (and originally, Lindows), is a full-featured operating system like Microsoft Windows 7 or Apple Mac OS. It runs Windows applications on top of Linux so they appear as they would in a native Windows environment. Various virtual machine environments are also available for Windows, Linux, UNIX, and Mac OS. These environments permit various different guest operating systems to run on top of those host OSes as well.
Mobile device operating systems (smartphones and such) are not as complex as those for PCs. Mobile devices run a variety of operating systems that include 3Com's Palm OS, Symbian, Google Android, Microsoft Windows Mobile, or iPhone OS (iOS). Windows Mobile (version 7 is now shipping) is a Microsoft product that supports color displays, graphics, Word, Excel, and built-in MP3 players or MPEG movie players. Other mobile OS offerings likewise support a broad range of screen resolutions, dynamic input areas, improved network communication, and Bluetooth. Of these, Google Android appears to be grabbing ever-increasing mind and market share.
Know Your Local File Systems
File systems enable an operating system to find files requested from a hard disk. The file system keeps a table of contents of the files on the disk. When a file is requested, the table of contents is searched to locate and access the file.
An operating system's method for organizing, managing, and accessing files through logical structures on a hard drive.
Also referred to as an allocation unit, a unit of disk space that's allocated for files and directories.
To understand this better, let's take a quick look at hard disks. The hard disk on which an operating system is installed is broken into large pieces called clusters or allocation units. Each cluster contains a number of sectors. A disk partition contains those sectors. Without additional support, each partition would be one large unit of data. Operating systems add a directory structure to assign names to each file and manage the free space available to create new files. The directory structure and method for organizing a partition is called a file system.
Different file systems reflect different operating system requirements. Some work better on small machines; others work better on large servers. The same hard disk can have partitions with file systems belonging to DOS, Windows, or Linux. When more than one file system type is installed on a hard drive, this is called a multiboot or dual-boot configuration.
FAT/NTFS
A file system keeps a table of contents (TOC) of files on a drive. When a file is requested, that TOC is searched to locate and access the file. One common file system is File Allocation Table (FAT). Each cluster has an entry in the FAT that describes how it is used. The operating system uses FAT entries to chain together clusters that form files.
A simple file system used by DOS, but supported by later Microsoft (and other) operating systems. The FAT resides at the beginning of a disk partition and acts as a table of contents for stored data.
In the 1970s, PC file systems were designed to support floppy disks. Hard disk support came later. DOS uses the FAT file system, which is also supported by all other DOS- and Windows-based operating systems. Early versions of DOS used FAT12. The FAT system for later versions of DOS and older versions of Windows 95 is called FAT16. It is simple, reliable, and uses little storage. The FAT is stored at the beginning of the partition to act as the table of contents. To protect the partition, two copies of the FAT are kept in the event that one becomes damaged. The FAT structure doesn't have a lot of organization; files are given the first open location on the disk.
Virtual FAT (VFAT) or FAT32, is an enhanced version of the FAT file system. It's available in Windows 95 and early versions of Windows NT. It allows files to have longer names than the 8.3 convention adopted by DOS. FAT32 also accommodates the use of smaller allocation units on a disk. The 8.3 convention is the original FAT file naming system, in which filenames could be up to eight characters long and files had three character extensions, or less, such as .txt, .doc, .ext, .bat, .bin, and so forth.
Also called FAT32, an enhanced version of the FAT file system that allows for names longer than the 8.3 convention and uses smaller allocation units on the disk.
The extended FAT (exFAT) file system is an enhanced version of VFAT/FAT32. This file system is available in Windows Vista SP1, Windows 7, and Windows Server 2008 (and for embedded devices on Windows Embedded Compact 6.0—often referred to as Windows CE or Windows Embedded CE—and newer versions). It supports disk partitions of up to 64 zettabytes (ZB); 512 TB is the current recommended maximum. Individual files can be as large as 16 Exabytes, but are also subject to the 512 TB partition limit (or smaller). The exFAT file system also supports nearly 2.8 million files per directory (up from 65,535 in FAT32), and improved free space allocation and delete performance.
Sometimes (and incorrectly) called FAT64, this extended version of the FAT file system was developed to keep FAT working with the kinds of large hard disks (1 TB and larger) now so widely installed in modern desktop and notebook PCs.
The New Technology File System (NTFS) was developed expressly for versions of Windows NT and Windows 2000. Windows NT supports NTFS 4 and Windows 2000 and higher support NTFS 5. Windows Vista and Windows Server 2008 and higher support NTFS 6. Only Windows NT and higher Windows operating systems can use data on an NTFS volume. NTFS organizes files into directories, which are then sorted. It also keeps track of transactions against the file system, making it a recoverable file system. The following graphic shows a copy of the file structure on a Windows 7 computer.
New Technology File System (NTFS)
A file system supported by Windows NT and higher-level Windows operating systems, including Windows Server 2000, 2003, and 2008, and Windows XP, Vista, and 7.
Figure 2.7: Windows folder hierarchy structure is laid out clearly in this treemap listing from WinDirStat.
Notice the lines on the left side of the screen. Those lines indicate how many directories deep you are. In modern Windows versions file structures can go 20 or more levels deep.
Various UNIX/Linux File Systems
UNIX has been around for decades, making it the oldest of all file systems used on PC hardware. Also, UNIX file systems probably differ the most from other file systems used on PCs. The UNIX file system is organized as a hierarchy of directories starting from a single directory called root, which is represented by a slash (/).
UNIX looks at all disks and storage devices as part of one file system. Likewise, all Linux files are in one tree; there is no concept of drives such as A, B, C, and D. Storage devices are linked to the directory structure. In other words, a floppy disk may be accessed at /mnt/floppy and a CD-ROM on /cdrom. Any subdirectories that are created use the storage space assigned to their parent directory—unless they are assigned their own storage space. Filenames are case sensitive, so TEST and test are two different files.
The Linux operating system supports multiple and different file systems. To enable upper levels of the OS core to deal with these file systems, Linux defines an intermediary layer, known as the Virtual File System (VFS). Just as in UNIX, there are no drive letters in Linux. Instead, Linux creates a virtual file system, which makes all files on all devices appear to exist on one device. In Linux, as with UNIX, there is one root directory, and every file you can access is located under it.
Second/Third Extended Filesystems (ext2/ext3) are state-based file systems. This means the file system maintains state for all open files in memory—in other words, all open files have corresponding entries in data structures in memory.
Second/Third Extended Filesystems (ext2/ext3)
State-based filesystems used by the Linux operating system.
Beginning with Red Hat Linux 7.2, the default file system changed from the ext2 format to the journaling ext3 file system. The ext3 file system is an enhanced version of the ext2 file system. It keeps logs and checkpoints for all transactions so that a file system check is no longer necessary after an unclean system shutdown. This way, if a system crashes, it can restore the file system using those logs.
The Network File System (NFS) was originally developed at Sun Microsystems in the 1980s to create a file system for diskless clients (networked computers with no local storage devices that rely upon servers for all their storage needs). NFS provides network access to shared file systems. The primary function of NFS is to mount directories to other computers. These directories can then be accessed as though they were local. This works the same way that mapped drives work in Microsoft networking.
Provides remote access to shared file systems across networks. The primary function of NFS is to mount directories to other computers. These directories can then be accessed as though they were local.
Other File Systems
We've covered several file systems in this chapter; however, there are many other file systems available that are outside the scope of this book. The section "Tales from the Trenches: A Preparation War Story" presented earlier in this chapter warns that you can't always anticipate every possible contingency before you head into the field. We must also recognize that we can't arm you with information on every conceivable topic, nor every specific file system.
If you come across another file system that we don't mention here, remember that the Internet can be your biggest friend and ally. Other file systems we know about (and mentioned in the previous version of this book) include BFS (the BeOS File System designed for an alternative Power PC and PC operating system in the mid-1990s) and HPFS (the High Performance File System native to OS/2).
Indeed, other file systems abound, including the distributed Andrew File System (AFS), the Common Internet File System (CIFS), and even mainframe holdovers like the Hierarchical File System (or HFS). For less common file systems, you can use your favorite Internet search engine to learn more, or even to search for specific forensic tools if you should need them to capture and preserve data.
Maintain Tools and Procedures for Each Operating System and File System
The challenge for computer forensic scientists is to develop methods and techniques that provide valid and reliable results while preserving evidence and preventing harm to information. You need to have procedures and tools in place so that you can more easily collect the evidence you need.
What happens if a system is set up to log every event imaginable? The system's hard drive space will fill up, and someone will have to weed through all the collected information to figure out which events really can help an investigation. Having good procedures in place and conducting proper maintenance of your tools will help make the forensic process run more smoothly.
Preinstalled Tools Make Forensics Easier
For computer forensic science to be effective, it must be driven by information discovered during an investigation. Many systems currently include 500 GB or higher capacity hard disks. From a practical standpoint, it may be impossible to examine every file stored on a seized computer system. It could be equally difficult for law enforcement personnel to sort through, read, and comprehend the amount of information contained within files on today's huge systems. So, we'll take a look at some tools that can help you with this seemingly arduous task.
Eventually, you will work with a forensic toolkit. For now, let's look at the tools that are already installed on most operating systems. These are tools that you can readily take advantage of and use. All operating systems come with the ability to log events. Because Windows 7 is a popular operating system these days, we'll look at how it logs events. Event Viewer allows you to audit certain events. Event Viewer maintains three log files: one for system processes, one for security information, and one for applications. Figure 2.8 was captured on a Windows 7 computer. In Windows Server 2003 and 2008 versions, you will also find directory services, DNS server, and file replication logs, among many others.
Figure 2.8: The Windows 7 Event Viewer provides ready access to Windows audit logs and logged event detail.
Auditing Users and File Access
Auditing is the process of tracking users and their actions on a network and its component systems. You should audit access use and rights changes to prevent unauthorized or unintentional access by a guest or restricted user account. This will stymie unauthorized access to sensitive or protected resources. How much you should audit depends on how much information you want to store. Keep in mind that auditing should be a clear-cut activity built around equally transparent goals and policies.
The process of tracking who's logging in and accessing what files.
When deciding what to audit, first identify potential resources at risk within your networking environment. These resources might typically include sensitive files, financial applications, and personnel files. After those resources are identified, set up an audit policy using operating system tools. It can be useful to monitor successful as well as failed access attempts. Failure events allow you to identify attempts at unauthorized access; successful events can reveal accidental or intentional (but unwanted) escalations of access rights.
Each operating system has its own methods to track and log access. Auditing is resource intensive and can easily add an additional 25 percent load to any server. Make time to view your logs. Log files can't help protect against a system compromise if an intrusion recorded in your logs isn't read for six months. Most operating systems produce log files in text file format, but viewing data graphically is much easier than interpreting text. If possible, import your log files into some type of database or log analysis tool.
|
|
Tip |
Auditing can be as simple or as complex as you want to make it. Regardless of the auditing plan you devise, be consistent. |
Tracking Incoming and Outgoing Computer Access
Most operating systems also include built-in utilities for tracking the address of a computer and tracing the route it takes to get to a destination on the Internet. Producing and recording such information can be quite important when internal users are engaging in malicious activity. With the advent of business-to-business activities, using tracking utilities is also a good way to know when employees are accessing the sites of business partners.
This section discussed tools that are already in place to track information traveling across a network. After you obtain this information, how can you use it? Can you accuse an employee of hacking based on the information that you have gathered? Such questions fall under the scope of knowing your legal limits, so let's move on and see what you can and cannot do with the information you gather, assemble, or produce as you conduct an investigation.
Know Your Limits
When an intrusion is detected, you must know to what lengths you can go to minimize the damage and also whether you can seize property. For example, let's say that you have determined that an employee has installed hacking tools on your network and he has hacked into a business partner's network. He then proceeded to steal passwords. Can you search his computer for evidence without a warrant? What about that UFD he carries on his keychain? Is that a work-related item or a personal item? These are the types of questions you'll need to answer before you act.
Legal Organizational Rights and Limits
Employers can be either public or private. This distinction is important because government employers are bound by the Fourth Amendment, as discussed in the next section. Not everything that passes through a business door can be considered part of the workplace. For example, the contents of an employee's purse or briefcase maintain their private character even though an employee brings them to work. Although circumstances might permit a supervisor to search an employee's desk for a work-related file, a supervisor must usually leave an employee's purse or briefcase alone.
When confronted with this issue, courts have analogized electronic storage devices to closed containers, and they have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy for the contents of closed containers, they also generally retain a reasonable expectation of privacy for data held within electronic storage devices.
Here are some cases to which you can refer for guidance:
· United States v. Ross, 456 U.S. 798, 822–23 (1982)
· United States v. Barth, 26 F. Supp. 2d 929, 936–37 (W.D. Tex. 1998)
· United States v. Reyes, 922 F. Supp. 818, 832–33 (S.D.N.Y. 1996)
· United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995)
· United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993)
· United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. Dec. 4, 1990)
This analysis has interesting implications for items such as UFDs or external USB drives, which can be either work-related or private, depending on the circumstances. It is probably reasonable for employers to assume that UFDs found at an office are part of the workplace, but a court could treat a UFD that belongs to an employee as if it were a private, personal item.
Generally speaking, an employer may consent to a search of an employee's computer and peripherals if the employer has common authority over the equipment. There are currently no cases specifically addressing an employer's consent to search and seize an employee's computer and related items. However, cases exist that discuss searches of an employee's designated work area or desk.
In an electronic environment, employees do not know when a network administrator, supervisor, or anyone else accesses their data. As a practical matter, system administrators can, and sometimes do, look at data. But when they do, they leave no physical clues that would tell a user they have opened one of his files. Some users who are unfamiliar with computer technology may believe that their data is completely private. If an organization has published clear policies about privacy on the network, this effort would support the position that the user has granted implied consent to a search by working there under such a policy. However, if an organization or administration has not addressed these issues with its users and the situation remains ambiguous, the safest course is to obtain and exercise a warrant.
Search and Seizure Guidelines
The Fourth Amendment limits the ability of government agents to search for evidence without a warrant. It states "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
A warrantless search does not violate the Fourth Amendment if one of two conditions is met. Accordingly, investigators must consider two issues when asking if a government search of a computer requires a warrant:
· Does the search violate a reasonable expectation of privacy?
· If so, is the search nonetheless reasonable because it falls within an exception to the warrant requirement?
The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a reasonable expectation of privacy in electronic information stored within computers or other electronic storage devices under that individual's control. For example, do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks, or pagers? If the answer is yes, the government ordinarily must obtain a warrant before it accesses the information stored inside. A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation of privacy [Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring)]. In most cases, a defendant's subjective expectation of privacy focuses on whether the expectation of privacy was reasonable.
Recognizing that government agencies could not function properly if supervisors had to establish probable cause and obtain a warrant every time they needed to look for a file in an employee's office, in O'Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court held that two kinds of searches are exempt. Specifically, both (1) a non-investigatory, work-related intrusion and (2) an investigatory search for evidence of suspected work-related employee misfeasance are permissible without a warrant and should be judged by the standard of reasonableness (Id. at 725-26). These exemptions are stated under the Federal Guidelines for Searching and Seizing Computers. Access that document at http://www.knock-knock.com/federal_guidelines.htm.
Agents must evaluate whether a public employee retains a reasonable expectation of privacy in the workplace on a case-by-case basis, but written employment policies can simplify this task dramatically. See O'Connor v. Orgeta, 480 U.S. 709 at 717 (plurality). Courts have uniformly deferred to public employers' official policies that expressly authorize access to the employee's workspace, and they have relied on such policies when ruling that an employee cannot retain a reasonable expectation of privacy in the workplace. See the following cases:
· American Postal Workers Union, Columbus Area Local AFL-CIO v. United States Postal Serv., 871 F.2d 556, 59–61 (6th Cir. 1989)
· United States v. Bunkers, 521 F.2d 1217, 1219–21 (9th Cir. 1975)
When planning to search a government computer in a government workplace, agents must look for official employment policies or "banners" to defeat a reasonable expectation of privacy.
Will This End Up in Court?
In the event that an incident is sufficiently serious, and the organizational policy is to prosecute, an investigation could end up in court. Courts require that information contained in the equipment (and not the equipment itself) be seized and that ample, unaltered information be presented in each case. Court compliance could require cooperative efforts between law enforcement officers and a computer forensic examiner to make sure that technical resources suffice to address both the scope and complexity of a search.
Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court. They can help prepare a case and anticipate and rebut defense claims. In addition, forensic examiners can assist prosecutors in complying with federal rules pertaining to expert witnesses. Under these rules, the government must provide, upon request, a written summary of expert testimony that it intends to use during its case. There is a reciprocal requirement for a summary of defense expert-witness testimony, as long as the defense has requested a summary from the government, and the government has complied.
Should this situation arise, make sure all evidence is processed properly. Good laboratory practices ensure the quality and integrity of evidence by dictating how examinations are planned, performed, monitored, recorded, and reported. Unless you work for law enforcement, you probably don't have a lab to process evidence; however, most large organizations do have a specially trained team to identify and collect evidence for any incidents that arise.
Often incidents occur that aren't actually crimes and require only internal investigation. The same specially trained team conducts those investigations and is also aware of what constitutes a crime that would require law enforcement involvement. Let's take a closer look at how such a team should be organized and how it works.
Develop Your Incident Response Team
Organizational policies and practices provide important guidance that applies to forensic examinations. They are designed to ensure quality and efficiency in the workplace. In an effort to properly preserve evidence, you must establish and make ready an incident response team (IRT). That team needs to know how to handle workplace situations they will encounter when conducting investigations.
A team of individuals trained and prepared to recognize and immediately respond appropriately to any security incident.
Organize the Team
Incident response plans are needed so that you can intelligently react to intrusions, security breaches, or other identifiable incidents. More important is the issue of legal liability. You are potentially liable for damages caused by a hacker using your machines, so you will want to preserve any evidence you collect during an investigation.
The actions an organization takes when it detects an attack, whether ongoing or after the fact.
You must be able to prove to a court that you took reasonable measures to defend yourself from hackers. You must also present any evidence as clearly and concisely as possible. If a plan is not in place and duties not clearly assigned, your organization may wind up in a state of disarray. Failure to plan for security breaches and other incidents could result in a negative outcome in court.
The components of an incident response plan should include preparation, roles, rules, and procedures. Once a plan is prepared, appoint response team members. Note that this is not a full-time assignment; it is simply a group of people with obligations to act in a responsible manner when an incident occurs to which some response is warranted.
|
|
Note |
Never underestimate the effect an incident has on employees. Disruptions in the workplace not only cause confusion, they also disturb employee schedules and diminish productivity. |
An incident response team is responsible for containing damage and getting systems back up and running properly. These steps include determination of the incident, formal notification to appropriate departments, and the recovering of essential network resources. With this in mind, the team should include the following personnel:
· Security and IT staff
· Someone to handle communication with management and employees
· Someone to handle communication with vendors, business partners, and the press
· Developers of in-house applications and interfaces
· Database managers
The entire team is responsible for successful incident handling. The entire team must remain in place until an incident is closed.
State Clear Processes
The basic premise of incident handling and response is that an organization needs a clear action plan to define procedures to be followed when an incident occurs. These procedures should include:
· Identifying initial infected resources by obtaining preliminary information about what kind of attack is underway, and what potential for damage exists.
· Notifying key personnel, such as the security department and the incident response team.
· Assembling the response team for duty assignments and selecting an incident lead.
· Diagnosing problems, identifying potential solutions, and setting priorities. The security response team must be clear about what to do, especially if potential damages are high.
· Escalating problems to additional teams if necessary. The key is to understand what actually happened and how severe any attack might be.
· Gathering all information learned about the incident up to its resolution, and storing it in a secure location on secure media, in case it may be needed for potential legal action.
· Communicating about the incident. This may include reporting it to law enforcement, IT security companies, or possibly customers and regulatory agencies.
|
|
Note |
If an event is newsworthy, expect media contact. Make sure someone is authorized—and prepared—to speak to the media. |
The team should prepare an incident report to determine and document incident causes and ultimate solutions. This report should be an internal document that puts everything, from the minute the incident was noticed until the minute service is restored, into perspective.
Coordinate with Local Law Enforcement
Local law enforcement relies on network administrators to report when their systems get hacked, but alas, intrusion victims are often reluctant to call the authorities. This reluctance is reflected in surveys conducted jointly by the Computer Security Institute and the FBI. Only 25 percent of respondents who experienced computer intrusions reported those incidents.
If organizations do not report incidents, law enforcement cannot provide an appropriate or effective response. Networks are getting more complex and more vulnerable to intrusions. Law enforcement agencies are familiar with computer crime investigations, view intrusions as important, and do respond appropriately. They are able to refer reports promptly to the proper agencies if they are not equipped to handle more complex cases.
Publicity is frequently an issue for victims of computer crime. Law enforcement is trained to be sensitive to victims' concerns about publicity and seizure of data. Many investigations also require information from the victim's incident response team.